From 173455de229d0d207c9ce6c802dcb198a8aefed7 Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Mon, 10 Sep 2018 16:10:16 +0200
Subject: [PATCH] Call SSL_shutdown() at least twice

---
 lib/base/tlsstream.cpp | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/base/tlsstream.cpp b/lib/base/tlsstream.cpp
index e3c232bd0..a694f86bf 100644
--- a/lib/base/tlsstream.cpp
+++ b/lib/base/tlsstream.cpp
@@ -398,7 +398,20 @@ void TlsStream::CloseInternal(bool inDestructor)
 	if (!m_SSL)
 		return;
 
-	(void)SSL_shutdown(m_SSL.get());
+	/* https://www.openssl.org/docs/manmaster/man3/SSL_shutdown.html
+	 *
+	 * It is recommended to do a bidirectional shutdown by checking
+	 * the return value of SSL_shutdown() and call it again until
+	 * it returns 1 or a fatal error. A maximum of 2x pending + 2x data
+	 * is recommended.
+	 */
+	int rc = 0;
+
+	for (int i = 0; i < 4; i++) {
+		if ((rc = SSL_shutdown(m_SSL.get())))
+			break;
+	}
+
 	m_SSL.reset();
 
 	m_Socket->Close();
-- 
2.40.0
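Review bot: `rc` is assigned inside the loop at `for (int i = 0; i < 4; i++)` but never read afterwards, so the loop exits on any nonzero return and throws away whether the shutdown completed (1) or failed (-1); the comment above it says to retry "until it returns 1 or a fatal error", yet a -1 caused by SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE on a non-blocking socket is neither, and is treated as final here just like a real error. Either drop the variable (`if (SSL_shutdown(m_SSL.get()) != 0) break;`) or keep it and consult `SSL_get_error(m_SSL.get(), rc)` after the loop so that an incomplete bidirectional shutdown is at least logged before `m_SSL.reset()` discards the session state. Since the calls are issued back-to-back with no wait on the socket, the second SSL_shutdown() can only return 1 if the peer's close_notify has already arrived, so in practice this will still usually end after the unidirectional step; a comment stating that the bidirectional completion is best-effort would make the intent clear to the next reader. CloseInternal() begins and ends outside this hunk, so whether inDestructor is meant to alter the retry behaviour cannot be judged from here.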